The Data Protection Impact Assessment (DPIA) II (Consultation with the Data Subjects and the DPA)

The GDPR contains rules on when controllers are required to prepare a data protection impact assessment (DPIA), when they have to seek the views of data subjects or their representatives on the intended processing and, furthermore, when they are obliged to consult the supervisory authority prior to processing.

The Article 29 Data Protection Working Party (WP29) issued guidelines on the DPIA on 4 April 2017 (WP248), which were then revised on 4 October 2017, and which interpret the respective provisions of the GDPR (Articles 35-36 and Recitals 75-76, 84 and 90-95).

Below you will find a Q&A concerning the issue of seeking the views of data subjects and the prior consultation with the supervisory authority.

1. Who Is Required To Seek The Views Of Data Subjects?

Under the GDPR, where appropriate, the controller is required to seek the views of the data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Thus, a business secret or commercial plan may serve as a ground for an exception to the requirement to seek the views of the data subjects. It is the controller that has to justify and demonstrate that seeking of such views is not required.

2. When Is It Required To Seek The Views Of The Data Subjects?

The GDPR provides that the controller is required to seek the views of the data subjects or their representatives on the intended processing, meaning that the seeking of the views has to occur prior to processing.

3. How Should The Controller Seek The Views Of The Data Subjects?

The GDPR is silent on this issue. The WP29 says in its guidelines that the “views could be sought through a variety of means” (e.g. a question or survey sent to the data controller’s potential customers).

In line with the principle of accountability,

- if the data controller’s final decision differs from the views of the data subjects, the reasons for proceeding or not with the data processing activity have to be documented;

- the data controller should also document the reasons why it has not sought the views of data subjects (e.g. doing so would be disproportionate or would endanger the business plans of the company).

4. When Is It Required To Consult The Supervisory Authority Prior To Processing?

If the controller is unable to reduce the identified high risks to an acceptable level, i.e. the remaining risks are still high, the controller is required to consult the supervisory authority prior to processing.

Examples of an unacceptable high residual risk:

- where the data subjects may encounter significant, or even irreversible, consequences which they may not be able to overcome (e.g. illegitimate access to data leading to a threat to the life of the data subjects, a layoff, or a financial threat);

- when it seems obvious that the risk will occur (e.g. the controller is not able to reduce the number of people accessing the data because of its sharing).

As regards the assessment of the level of risk, the “Recommendations for a methodology of the assessment of severity of personal data breaches” issued by the European Union Agency for Network and Information Security (ENISA) give useful and practical guidance.

5. What Information Has To Be Provided To The Supervisory Authority?

The controller is required to provide to the supervisory authority the following information and documents:

(a) the respective responsibilities of the controller, joint controllers and processors involved in the processing;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects;

(d) the contact details of the DPO, if any;

(e) the DPIA; and

(f) any other information requested by the supervisory authority.

6. How Long Does A Consultation Last?

It depends on how the supervisory authority judges the case.

If the supervisory authority is of the opinion that the intended processing would infringe the GDPR (e.g. because the controller has insufficiently identified or mitigated the risk), the supervisory authority must, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller. That period may be extended by six weeks, taking into account the complexity of the intended processing. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.

Taking this into account, a consultation may last for about 4 months or even more. Controllers are advised to take this into consideration and plan well ahead if they are about to launch a new data processing operation which requires a DPIA.
